In chapter 8 we look at Controls specifically designed for the Information Systems Function.
COBIT (Control Objectives for Information & Related Technology)
COBIT is the widely adopted framework for IT governance and IT controls. It was created by the Information Systems Audit and Control Association and the IT Governance Institute in 1992. Its purpose is to provide guidance on the best practices for the management of information technology. IT resources (see below) must be managed by IT control processes in a way that allows an organization to achieve its objectives. COBIT supports IT governance by providing a framework to ensure that IT is aligned with the business, IT maximizes benefits, IT resources are used responsibly and IT risks are managed appropriately, thus reducing the possibility that risks will occur.
IT resources:
Data (information in all their forms)
Application systems (automated systems and manual procedures that process information)
Technology & Facilities (make up the infrastructure that enables the processing of the applications)
People (personnel who plan, organize, acquire and evaluate information systems and services)
COBIT's definition of Control: "The policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected."
The difference between COBIT's definition and the book's definition is that COBIT's adds the idea that controls should address "undesirable events." More information on COBIT: http://www.itmanagersjournal.com/articles/11014?tid=88
Information Systems Function (ISF):
The information systems function in an organization has a broad responsibility to plan, develop or acquire, implement, and manage an infrastructure of information technology (computers and communications), data (both internal and external), and enterprise-wide information processing systems. It has the responsibility to track new information technology and assist in incorporating it into the organization's strategy, planning, and practices. The function also supports departmental and individual information technology systems. The technology employed may range from large centralized to mobile distributed systems. The development and management of the information technology infrastructure and processing systems may involve organizational employees, consultants, and outsourcing services.
Types of Organizational structures for ISF:
Centralized: The CIO is the central leader of all information systems functions. In practice, organizations have structured their information systems function in ways other than the centralized arrangement illustrated in Figure 8.2 on page 261.
Decentralized: Assigns personnel to non-central organizational units.
Functional: Assigns personnel to skill-based units, which can be used by both centralized and decentralized organizations. Characterized by specialization. Results in less duplication of effort.
Matrix: Assembles teams or work groups, composed of members from different functional areas of operations, under the leadership of one authority. Assigns workers to two or more supervisors in an effort to ensure that multiple dimensions of the business are integrated.
Project: Establishes permanent systems development structures. Based on project, product, or geographical location (purpose). Good for training generalists.
Key control concerns (similar to business exposures) for the various ISF functions.
Pervasive data conversion errors
Unauthorized software changes
Unauthorized computer operations
Problems not being resolved in timely manner
Acquired technology is consistent with organizational resource plans and technology infrastructure
COBIT Control Process Domains:
The four domains are: Planning and Organizing (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (M). After each of the first three domains, there is feedback that goes back to monitoring and evaluating to make sure that everything is running smoothly. There are 34 processes in total for COBIT.
Planning and Organization
Process #1: Establish Strategic Vision for Information Technology
This is the process whereby the management of the information services takes steps to make sure that the organization is getting the most out of the IT resources employed by the company. They are attempting to ensure that the organization is employing their IT resources in a way that will be ready to successfully respond to any competitive threats that arise or take advantage of any competitive opportunities that arise.
Basically, if you don't know where you're going, you either a) won't get there or b) won't know when you get there.
Further, if the strategic vision is not tied into the strategic vision for the overall company, the organization/IT department will waste time and efforts and possibly invest in the wrong technology. This also helps ensure that the IT department receives adequate funding to develop or acquire needed technology.
Corresponding Elements:
A summary of the organizational strategic plan's goals and strategies, and how they are related to IT.
IT goals and strategies, and a statement of how each will support organizational goals and strategies.
An information architecture model encompassing the corporate data model and the associated information systems.
An inventory of current IT capabilities.
Acquisition and development schedules for hardware, software, and application systems, and for personnel and financial requirements.
IT-related requirements to comply with industry, regulatory, legal, and contractual obligations, including safety, privacy, transborder data flows, e-business, and insurance contracts.
Safety and privacy issues also create massive legal liability for an organization that can be shown to NOT adequately protect its customers' data, thus rendering them vulnerable to identity theft.
Also, if our customers do not trust us with their personal and financial data, we very soon will not HAVE customers and will be out of business shortly thereafter
IT risks and the risk action plan.
Process for modifying the plan to accommodate changes to the organization's strategic plan and changes in IT conditions.
Process #2: Develop Tactics to Plan, Communicate, and Manage Realization of the Strategic Vision
Organizational Control Plans: Management must establish a direction and related policies that provide the framework for a positive control environment, and these must be communicated to obtain commitment and compliance. Project management and quality management are critical components of overall control.
Segregation of Duties Control Plan: This is the most critical -- and most fundamental -- part of a good internal control system. It is also the easiest and cheapest to implement. Basically, there should never be a situation in which one person has custody of physical assets and the ability to approve, record, or execute transactions relating to those assets. The danger of collusion is always present, even in systems with adequate segregation of duties. In smaller organizations, there may not be enough personnel to adequately separate duties, and compensatory controls may be needed.
Authorizing Events-
Approve phases of event processing.
Executing Events-
Physically move resources.
Complete source documents.
Recording Events-
Record events in books of original entry.
Post event summaries to the general ledger.
Safeguarding Resources Resulting from Consummating Events-
Physically protect resources.
Maintain accountability for physical resources.
Organizational Control Plans for the IT Organization:
The ISF acts in a service capacity for other operating units in the organization. It is mainly limited to recording events and posting event summaries.
Approving events, executing events, and safeguarding resources should be carried out by other departments outside of the Information System Department.
WITHIN IT segregate duties to control unauthorized use of and/or changes to the computer and its stored data and programs.
Personnel Control Plans:
Selection and Hiring Control Plans: Qualified personnel with technological background.
Candidates applying for these positions should be carefully screened -- DO the background check and VERIFY the education and work background claimed.
Retention Control Plans: Provide challenging work and opportunities for advancement.
If employees become bored and frustrated, they will leave -- hiring and training costs are some of the highest in the organization, so lower employee turnover is highly desirable.
Personnel Development Control Plans: Training and development.
Training must be regular, relevant, timely, and not haphazard.
Training is needed at all levels, including basic user skills for IT department "clients".
Personnel Management Control Plans:
Personnel Planning Control Plans -- project future managerial and technical skills of the staff, anticipate turnover, and develop a strategy for filling necessary positions.
Job Description Control Plans -- lay out responsibilities for each position on an organization chart and identify resources to be used in performing these responsibilities.
Supervision Control Plans -- processes of approving, monitoring, and observing performance of others.
Personnel Security Control Plans -- prevent the organization's OWN personnel from computer abuse/fraud/theft
Rotation of duties (preventive AND detective)
Forced vacations (preventive AND detective)
Fidelity bonds (corrective)
Personnel Termination Control Plans -- define the procedures a company must follow when an employee leaves an organization (voluntarily or otherwise)
escort off premises
immediately reset password and cancel user access
confiscate key cards and access passes
Acquisition and Development
Process #3: Identify Automated Solutions
To ensure the best approach to satisfy the users' IT requirements:
Define information requirements
Formulate alternative courses of action
Conduct technological and operational studies
Assess risk associated with the automated IT requirements
Process #4: Develop and Acquire IT Solutions -- NOTE: a given business process may use more than one application
Develop and acquire application software/infrastructure
SDLC should include procedures to create design specifications for each new, or significantly modified, application and to verify those specs against the user requirements
Specs should be developed with systems users and approved by management and user departments
SDLC should include procedures to ensure that platforms support the new or modified application.
An assessment should be made of the impact of new hardware and software on the performance of the CURRENT OVERALL system.
Procedures should be in place to ensure that hardware/systems software are installed, maintained, and changed to continue to support business processes.
Develop service level requirements and application documentation:
Provide for preparation and maintenance of service level requirements, including: availability, reliability, performance, capacity for growth, levels of user support, disaster recovery, security, minimal system functionality, and service charges.
These will become benchmarks for the system's future performance and for any potential future acquisition!
Systems Documentation
Program Documentation
Operation/User Manuals
Training Materials
Process #5: Integrate IT Solutions into Operational Processes
Ensure that the new or significantly revised system is suitable for operations.
Provide for a planned, tested, controlled, and approved conversion to the new system.
After installation, perform a review to determine whether the new system has met users' needs in a cost-effective manner.
NOTE: when organizations implement ERP systems, successful integration of new information systems modules into existing information and operations processes becomes more difficult and more important.
Process #6: Manage Changes to Existing IT Systems
Ensure that processing integrity is consistent between versions of IT systems from period to period, by:
Impact Assessment
Documentation
System change requests
Release and distribution policies and/or procedures.
PROGRAM CHANGE CONTROLS -- provide assurance that all modifications to programs are authorized and that the changes are completed, tested, and properly implemented.
CHANGES IN DOCUMENTATION SHOULD MIRROR CHANGES MADE TO RELATED PROGRAMS
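The following is an added example, not code from the chapter or the book: it runs the program change control assurances listed above (authorized, tested, properly implemented, documentation mirroring the program change) over constructed change records and reports what evidence each change lacks. The record fields, the rule that program documentation must be revised with each change, and the sample data are assumptions made for the example.

```python
"""Program change control evidence check over constructed change records.

Added example, not from the chapter notes. Each ProgramChange is a constructed
record of one program modification as a change-management export might show it.
The check reports which of the assurances the notes name (authorized, tested,
properly implemented, documentation mirroring the program change) the record
fails to evidence.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ProgramChange:
    change_id: str
    program: str
    developer: str                      # who modified the program
    approved_by: Optional[str]          # who authorized the change request, if anyone
    impact_assessed: bool               # impact assessment on file
    tests_passed: bool                  # test evidence on file
    released_by: Optional[str]          # who moved it into production, if anyone
    docs_updated: List[str] = field(default_factory=list)  # documentation revised with it


# Assumption for this example: a program change is mirrored in documentation
# only when the program documentation is revised along with it.
MIRRORING_DOC = "program"


def check(change: ProgramChange) -> List[str]:
    """Return the control assurances this change record does not evidence."""
    findings = []
    if change.approved_by is None:
        findings.append("not authorized")
    elif change.approved_by == change.developer:
        findings.append("self-approved")             # authorization must come from someone else
    if not change.impact_assessed:
        findings.append("no impact assessment")
    if not change.tests_passed:
        findings.append("not tested")
    if change.released_by is None:
        findings.append("not released")
    elif change.released_by == change.developer:
        findings.append("developer released own change")  # programmers must not operate production
    if MIRRORING_DOC not in change.docs_updated:
        findings.append("documentation not updated")
    return findings


def audit(changes):
    """Map change_id -> findings for every change that fails at least one check."""
    result = {}
    for c in changes:
        f = check(c)
        if f:
            result[c.change_id] = f
    return result


# Constructed sample records (developer, approver and operator names are made up).
SAMPLE_CHANGES = [
    ProgramChange("CR-1001", "payroll_calc", "dev_ann", "mgr_raj", True, True, "ops_lee", ["program", "operations"]),
    ProgramChange("CR-1002", "ar_posting", "dev_ann", "dev_ann", True, True, "ops_lee", []),
    ProgramChange("CR-1003", "inv_update", "dev_bo", "mgr_raj", False, False, "dev_bo", ["program"]),
]

if __name__ == "__main__":
    for cid, f in audit(SAMPLE_CHANGES).items():
        print(cid, "->", ", ".join(f))
```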
Delivery and Support
Process #7: Deliver Required IT Services
Define service levels
Manage Third-party services
Manage IT Operations
Manage data backups
Identify and allocate costs
Process #8: Ensure Security and Continuous Service
Ensure Continuous Service (Disaster Recovery Procedures)
BUSINESS CONTINUITY PLANNING -- identifies events that may threaten an organization and provides a framework to ensure that the organization will continue to operate when the threatened event occurs, or will resume operations with a minimum of disruption
Establish a formal business continuity program (hub of the wheel in diagram)
Understand your business
Create business continuity strategies
Develop and implement a business continuity response
Build and embed a business continuity management culture in the organization
Maintain and audit the business continuity plan
MUST have alternative computer facilities and related resources that can be used should the primary facilities and resources become unavailable. This INCLUDES the programs, data, and documentation necessary!
Normal backup and recovery plans
Continuous Data Protection (CDP)
Mirror site
Electronic vaulting: data is backed up continuously so that it is available to be retrieved if a disaster occurs
Hot site: a data center that is equipped to function if necessary due to disasters such as hurricanes
Cold site: a data center that takes longer to set up but is also less expensive
Restricting Access to Computing Resources (Location dictates access) -- management has legal responsibility to protect organization's assets, including information
CONTROL PLANS for restricting Physical Access to Computer Facilities (e.g., biometric ID system)
CONTROL PLANS for restricting Logical Access to Stored Programs, Data, and Documentation (e.g. security module, passwords, firewall, intrusion detection system (IDS), intrusion prevention system (IPS), library controls, program change controls, segregation of duties, etc)
Ensure Physical Security (Disaster Precautions)
Major threats:
Fire and water damage
Power outages
Lax data backup procedures
Process #9: Provide Support Services
Identify and train all internal and external users
Assistance through a "help desk" function
Monitoring -- without the feedback provided by the monitoring process, system of internal control is not complete.
Process #10: Monitor and Evaluate the Processes
Gather data about processes
Generate performance reports
Independent audits should be conducted on a regular basis -- this is especially important for e-businesses!
WebTrust and SysTrust
Segregation of Duties:
An organizational control plan that consists of separating the four basic functions of event processing--authorizing, executing, recording, and safeguarding resources resulting from consummating events.
Segregating Events Processing:
Function 1: Authorizing events - approve phases of event processing
Approve customer credit, approve picking inventory and sending inventory to shipping department, approve shipping inventory to customer, approve recording accounting entries
Function 3: Recording events - record events in books of original entry, post event summaries to the general ledger
Record Event Details - debit A/R subsidiary ledger, credit sales journal; debit cost of goods sold - inventory ledger, credit inventory - inventory ledger
Post Event GL Summaries - debit A/R, credit sales; debit cost of goods sold, credit inventory
Function 4: Safeguarding resources resulting from consummating events - physically protect resources, maintain accountability of physical resources
Physically Protect Resources - safeguard inventory while in storage at warehouse, while in transit to shipping department, and while being prepared for shipment to customer.
Maintain Accountability - examine and count inventory periodically, and compare the physical total to the recorded total
The concept underlying segregation of duties is simple enough: Through the design of an appropriate organizational structure, no single employee should be in a position both to perpetrate and conceal frauds, errors, or other kinds of system failures. pg 268.
Segregating Information Systems Functions:
Done to control unauthorized use of and/or changes to the computer and its stored data and programs. It consists of separating systems development and operations in order to prevent programmers from operating the computer (reduces the possibility of unauthorized data input or unauthorized modification of stored data and programs).
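As an added example (not from the chapter or the book), the following check encodes the separations described above, the four event-processing functions, the rule that the ISF should be limited to recording, and the development/operations split inside IT, and reports every user in a constructed duty assignment whose combined duties violate one of them. The duty names, the mapping of duties to functions, and the sample users are assumptions made for the example; users with a documented compensating control can be excluded, which is the small-organization case noted under the Segregation of Duties Control Plan.

```python
"""Segregation-of-duties conflict check over a constructed duty assignment.

Added example, not from the chapter notes. It encodes the four event-processing
functions the notes list (authorize, execute, record, safeguard), the rule that
the ISF should only record events, and the split between systems development and
computer operations inside IT, then reports every user whose combined duties
violate one of those separations.
"""
from itertools import combinations

EVENT_FUNCTIONS = {"authorize", "execute", "record", "safeguard"}
IT_FUNCTIONS = {"development", "operations"}
# Event functions that belong to departments outside the ISF.
OUTSIDE_ISF = EVENT_FUNCTIONS - {"record"}

# Constructed mapping from duties (as an access review might list them) to the
# control function each one exercises.
DUTY_TO_FUNCTION = {
    "approve_customer_credit": "authorize",
    "approve_shipment": "authorize",
    "pick_inventory": "execute",
    "complete_shipping_doc": "execute",
    "post_sales_journal": "record",
    "post_general_ledger": "record",
    "warehouse_custody": "safeguard",
    "count_inventory": "safeguard",
    "modify_program_source": "development",
    "run_production_jobs": "operations",
}


def is_conflict(a, b):
    """True when functions a and b should not be held by the same person."""
    pair = {a, b}
    if pair <= EVENT_FUNCTIONS:          # two of the four event-processing functions
        return True
    if pair == IT_FUNCTIONS:             # development and operations within IT
        return True
    # an IT duty combined with an event function that belongs outside the ISF
    return bool(pair & IT_FUNCTIONS) and bool(pair & OUTSIDE_ISF)


def conflicts_for(duties):
    """Return the set of conflicting (function, function) pairs in one user's duties."""
    unknown = [d for d in duties if d not in DUTY_TO_FUNCTION]
    if unknown:
        raise ValueError(f"duties not classified: {unknown}")
    funcs = sorted({DUTY_TO_FUNCTION[d] for d in duties})
    return {(a, b) for a, b in combinations(funcs, 2) if is_conflict(a, b)}


def review(assignments, compensated=frozenset()):
    """Map each user with an unmitigated conflict to the conflicting pairs.

    assignments: {user: list of duties}. Users in `compensated` have a documented
    compensating control (e.g. supervisory review in a small shop) and are skipped.
    """
    findings = {}
    for user, duties in assignments.items():
        if user in compensated:
            continue
        pairs = conflicts_for(duties)
        if pairs:
            findings[user] = pairs
    return findings


# Constructed sample assignment.
SAMPLE_ASSIGNMENTS = {
    "alice": ["approve_customer_credit", "approve_shipment"],     # authorize only
    "bob": ["pick_inventory", "post_sales_journal"],               # execute + record
    "carol": ["warehouse_custody", "count_inventory"],             # safeguard only
    "dana": ["modify_program_source", "run_production_jobs"],      # development + operations
    "erin": ["run_production_jobs", "approve_shipment"],           # IT operations + authorize
    "frank": ["run_production_jobs", "post_general_ledger"],       # IT operations + record: allowed
}

if __name__ == "__main__":
    for user, pairs in review(SAMPLE_ASSIGNMENTS).items():
        print(user, "->", sorted(pairs))
```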
Personnel Control Plans:
Key Control Issues: IT personnel resources must be managed so as to maximize their contributions to the IT processes. Specific attention must be paid to recruitment, promotion, personnel qualifications, training, backup, performance evaluation, job change, and termination. An organization that does not have a critical mass of honest, competent employees will find it virtually impossible to implement other control plans.
Business risks to avoid:
Dishonest employees
Incompetent employees
Dissatisfied/disgruntled employees
Unmotivated employees
Excessive employee turnover
Inadequate staffing
Selecting and Hiring Plans: Candidates applying for positions should be carefully screened, selected, and hired. The requirement for a technical background and the shortage of qualified applicants make the selection and hiring of systems personnel particularly important.
Retention Plans: Retaining qualified personnel can be even more difficult than hiring them. Again, the problem is especially critical when dealing with systems personnel. Companies should make every effort to provide creative and challenging work opportunities and, when possible, to offer open channels to management-level positions. There are many reasons why workforce attrition has become a critical concern:
The high cost of recruiting, hiring and training a new employee
Corporate productivity is hurt by losing key players
Losing talent to competitors can lessen competitive advantage.
High turnover can affect the morale of the remaining workforce.
New, inexperienced employees can cause customer dissatisfaction
Personnel Development Plans: Training should be used to correct deficiencies in an employee's background and to keep the employee up to date with company procedures. Performance reviews are useful for the following reasons:
Determines if the employee is satisfying the requirements of the position
Assesses an employee's strengths and weaknesses
Determines salary adjustments and promotions
Opportunities for training and personal growth
Personnel Management Plans:
Personnel Planning Control Plans: project future managerial and technical skills of the staff, anticipate turnover, and develop a strategy for filling necessary positions.
Job Description Control Plans: lay out the responsibilities for each position on an organization chart and identify the resources to be used in performing those responsibilities.
Supervision Control Plans: the process of approving, monitoring, and observing the work of others.
Personnel Security Control Plans: designed to prevent the organization's own personnel from committing acts of computer abuse, fraud, or theft.
Rotation of Duties: require an employee to alternate jobs periodically.
Forced Vacation: require an employee to take leave from the job and substitute another employee in his or her place.
Fidelity Bond: indemnifies a company in case it suffers losses from defalcations committed by its employees.
Termination Control Plans: set of procedures a company follows when an employee voluntarily or involuntarily leaves an organization.
Controlling Information Systems: IT Processes: